Abstract — The smart grid is an emerging cyber-physical system
that integrates power infrastructures with information technologies.
In the smart grid, wireless networks have been proposed
for  efficient  communications.  However,  the  jamming  attack  that 
broadcasts  radio  interference  is  a  primary  security  threat  to 
prevent  the  deployment  of  wireless  networks.  Hence,  spread 
spectrum  systems  with  jamming  resilience  must  be  adapted  to  the 
smart  grid  to  secure  wireless  communications.  There  have  been 
extensive  works  on  designing  spread  spectrum  schemes  to  achieve 
feasible  communication  under  jamming  attacks.  Nevertheless,  an 
open  question  in  the  smart  grid  is  how  to  minimize  message 
delay  for  timely  communication  in  power  applications.  In  this 
paper,  we  address  this  problem  in  a  wireless  network  with  spread 
spectrum  systems  for  the  smart  grid.  By  defining  a  generic 
jamming  process  that  characterizes  a  wide  range  of  existing 
jamming  models,  we  show  that  the  worst-case  message  delay  is 
a U-shaped function of network traffic load. This indicates that,
interestingly, adding a fair amount of redundant traffic, called
camouflage, can improve the worst-case delay performance. We
demonstrate via experiments that transmitting camouflage traffic
can decrease the probability that a message is not delivered on
time by orders of magnitude for smart grid applications.

I.  Introduction 

The  smart  grid  is  an  emerging  cyber-physical  system  that 
incorporates networked control mechanisms (e.g., advanced
metering and demand response) into conventional power
infrastructures [1]. To facilitate information delivery for such
mechanisms, wireless networks that provide flexible and
untethered network access have been proposed and designed
for a variety of smart grid applications [2]-[4]. However,
the  use  of  wireless  networks  introduces  potential  security 
vulnerabilities  due  to  the  shared  nature  of  wireless  channels.  It 
has  been  pointed  out  in  [1],  [2]  that  the  jamming  attack,  which 
uses  radio  interference  to  disrupt  wireless  communications 
[5],  [6],  can  result  in  network  performance  degradation  and 
even  denial-of-service  in  power  applications,  thereby  being  a 
primary  security  threat  to  prevent  the  deployment  of  wireless 
networks  for  the  smart  grid.  How  to  defend  against  jamming 
attacks is of critical importance to secure wireless
communications in the smart grid.

There have been extensive works on designing spread spectrum
based communication schemes, which provide jamming
resilience by using multiple orthogonal frequency or code
channels [6], [7]. Interestingly enough, most efforts attempt
to design point-to-point or broadcast schemes such that a
message can be sent to its destination. However, the key
question for jamming-resilient communication in the smart
grid is not whether a message can finally reach its destination,
but whether it can be successfully delivered on time for
time-critical power applications. For example, substation messages
have 3ms-500ms delay constraints for reliable operation [8].
The overdue delivery of such messages directly results in
communication failure, and can potentially lead to system
instability [3], [9]. Therefore, an open question in the smart
grid is how to minimize message delay in spread spectrum
based wireless networks under jamming attacks.

The work is sponsored by ARO under Grant Number 53435-CS-SR and
NSF Career Award CNS-0546289.

In this paper, we address this issue by considering a wireless
network that uses multiple frequency and code channels to
provide jamming resilience for time-critical smart grid
applications. As message delivery in the smart grid becomes invalid
as long as its delay $D$ is greater than the delay threshold $\sigma$,
our goal is to minimize the message invalidation probability
$P(D>\sigma)$ in the presence of jamming attacks. A key observation
in our approach is that there are two opposites in the network:
the network operator and jammer attempt to minimize and
maximize $P(D>\sigma)$, respectively. As a result, we adopt a
min-max approach to study the problem: i) find out which jamming
attack can maximize $P(D>\sigma)$ (i.e., the worst-case attack), ii)
given the worst-case attack, attempt to minimize $P(D>\sigma)$.

To find out the worst-case attack, we first define a generic
jamming process that includes a wide range of existing
jamming models. Then, we show via theoretical analysis that the
worst-case delay performance is always induced by reactive
jamming, which only sends jamming signals when it senses
any transmission. Specifically, we find that under reactive
jamming, the message invalidation probability is a U-shaped
(first decreasing, then increasing) function of the network
traffic load. This indicates that, interestingly, adding a
fair amount of redundant traffic (called camouflage) into the
network can improve the delay performance for wireless smart
grid applications under reactive jamming. Experiments show
that camouflage traffic can decrease the message invalidation
probability by orders of magnitude, and thus it is a promising
solution to combat reactive jamming for smart grid
applications.

The  rest  of  this  paper  is  organized  as  follows.  In  Section  II, 
we  introduce  preliminaries  and  models.  In  Sections  III  and  IV, 
we  show  camouflage  traffic  can  minimize  the  worst-case 
message delay. Finally, we conclude in Section V.

II.  Models  and  Problem  Formulation 

In  this  section,  we  introduce  network,  communication  and 
attack  models,  and  then  formulate  the  research  problem. 

A.  Network  Model 

Wireless  networks  in  the  smart  grid  are  in  general  used 
for  local-area  smart  grid  applications,  such  as  substation 
automation  and  distributed  energy  management  [3],  [4].  Both 
frequency hopping spread spectrum (FHSS) and direct
sequence spread spectrum (DSSS) have been proposed to be
used in such networks to combat potential jamming attacks
[3], [10]. Thus, in this paper, we consider a wireless local-area
network $\mathcal{N}(m, N_f, N_c)$ for local-area smart grid applications,
where $m$ is the number of nodes in the network, and $N_f$ and $N_c$
are the numbers of frequency and code channels, respectively.

In local-area smart grid applications, a large amount of
network traffic features a constant traffic model for continuous
monitoring and control of power equipment [3], [8], [9].
In addition, nodes can have distinct network traffic loads
for different applications. For example, merging units in a
substation can send data of sampled power signal quality
at various rates of 960-4800 messages/second, depending on
configuration [9].

Thus, we assume that there are heterogeneous traffic loads in
network $\mathcal{N}(m, N_f, N_c)$; i.e., node $i$ has a constant traffic load
of $\lambda_i$ messages/second ($i \in \{1, 2, \cdots, m\}$) in the network.

B.  Communication  and  Interference  Models 

In the smart grid, to ensure in-time monitoring and
control of power devices, a large number of communication
messages have stringent timing requirements. For example,
substation  applications  have  3ms-500ms  delay  constraints 
for  message  delivery  [8].  We  refer  to  such  messages  as 
time-critical  messages.  The  nature  of  time-critical  messages 
indicates  that  they  should  be  immediately  transmitted  and 
avoid  being  buffered.  For  example,  time-critical  messaging  in 
substation  communications  [8]  features  a  simple  transmission 
mechanism  at  the  application  layer:  bypass  TCP  and  retransmit 
the  same  message  multiple  times  to  ensure  timely  delivery 
and  reliability.  Thus,  we  also  adopt  such  a  mechanism  at  the 
application  layer  of  each  node. 

When  a  message  is  passed  from  the  application  layer  to 
the  MAC  layer,  traditionally,  CSMA/CA  is  used  to  sense 
the  channel  activity  before  sending  the  message.  However, 
CSMA/CA  is  primarily  designed  for  one-channel  networks, 
and may not be efficient in spread spectrum systems. In
network $\mathcal{N}(m, N_f, N_c)$, the wireless channel is separated
into $N_f$ frequency and $N_c$ code channels. Such channels
can  be  considered  orthogonal  to  each  other.  Even  if  there 
are  multiple  wireless  transmissions  over  the  same  frequency 
channel,  they  will  be  successfully  decoded  at  receivers  as  long 
as  they  use  distinct  code  channels.  CSMA/CA,  which  defers  a 
transmission  after  sensing  any  activity  on  a  frequency  channel, 
may  unintentionally  degrade  the  delay  performance. 


As a result, we assume that when the MAC layer receives a
message, it will directly transmit the message on a
frequency-code channel pair, the $(i, j)$-th channel. Since the application
layer will retransmit the message multiple times, the MAC
layer will assign a different frequency-code channel to each
retransmission. The assignment is a secret key known only
to the sender and receiver. In addition, we assume that for
a sender-receiver pair, each channel assignment is uniformly
distributed over all $N_f N_c$ channels such that the chance of
channel collision among legitimate nodes can be minimized.

We assume that the message transmission on the $(i, j)$-th
channel fails only if at least a portion $p$ ($0 < p < 1$) of the
transmission is disrupted by jamming or collides with other
legitimate traffic on the same $(i, j)$-th channel. In other words,
we assume that the transmission of a message with $a$ bits on
a channel fails as long as at least $pa$ bits are corrupted.

C.  Generic  Jamming  Model 

The objective of a jammer is to broadcast radio interference
to disrupt message delivery in network $\mathcal{N}(m, N_f, N_c)$. We
assume that the jammer has the knowledge of the pools of
frequency and code channels. However, it does not know what
assignments are used by nodes to communicate with each
other in that nodes can periodically use on-line
jamming-resilient protocols (e.g., [6], [7]) to update secret keys. As
network $\mathcal{N}(m, N_f, N_c)$ has multiple channels, the jammer can
adopt a wide range of strategies to disrupt message delivery.
There are two major jamming types in the literature:
non-reactive and reactive models [5]-[7]. Non-reactive jammers
transmit radio interference by following their own strategies.
Reactive jammers transmit interference only when they sense
any activity on a wireless channel. As we attempt to find
out the worst-case attack, we define a generic process to
accommodate both non-reactive and reactive jamming models.

Definition 1 (Generic Jamming Process): A jammer's
jamming process is denoted as a Markov-renewal process

$$((F, C), X) = \{(F_k, C_k), X_k \mid k = 1, 2, \cdots\},$$

where $(F_k, C_k)$ is the $k$-th state denoting a targeted
frequency-code channel pair, and $X_k$ is the renewal interval denoting the
$k$-th jamming duration on a channel. The embedded transition
matrices associated with states $(F_k, C_k)$ are denoted as $Q_f$
and $Q_c$, respectively. When the jamming is non-reactive,
$((F, C), X)$ is a continuous Markov process, i.e., the renewal
interval $X_k$ is exponentially distributed. When the jamming is
reactive, $X_k = \tau + S_k 1_A$,¹ where $\tau$ is the constant sensing
time for a channel, $S_k$ is the duration of the jamming signal, and
$A$ denotes the event that a channel is sensed busy.

As we can see in the Markov-renewal model, $\{X_k\}$ and
$\{(F_k, C_k)\}$ can directly reflect when a certain channel is
affected by the jamming attack, and matrices $Q_f$ and $Q_c$ can
model what the jamming strategy is.

¹ $1_A$ denotes the indicator function, which has the value 1 for $A$ and the
value 0 for $A^c$.

D. Problem Formulation

The  primary  goal  of  smart  grid  communication  is  to  achieve 
timely  management  of  power  applications.  Therefore,  the 
delay  performance  is  of  critical  importance.  A  time-critical 
message becomes invalid as long as its message delay $D$
is greater than its delay constraint $\sigma$. As a result, we focus
on how to minimize the message invalidation probability
$P(D>\sigma)$ under the generic jamming process $((F, C), X)$.

There are two opposites in the network: the network
operator and the jammer attempt to minimize and maximize
the message delay, respectively. The lower bound of the
message delay is always achieved when there exists no jammer
or a naive jammer. From the perspective of security design,
it is reasonable to assume that the network can possibly face
the worst-case attack. Thus, we adopt a min-max approach
to study the problem of minimizing message delay in the
smart grid under jamming attacks: i) in a wireless local-area
network $\mathcal{N}(m, N_f, N_c)$, for a time-critical application
with delay threshold $\sigma$, what is the maximum impact of the
generic jamming process $((F, C), X)$ on the delay
performance $P(D>\sigma)$; ii) given the worst-case scenario in step i),
how to minimize $P(D>\sigma)$.

III.  Theoretical  Analysis 

In  this  section,  we  use  the  min-max  approach  to  analyze  the 
worst-case  message  delay  under  the  generic  jamming  process. 


A.  The  Impact  of  Jamming  Attacks 


Our first goal is to find the jamming attack that maximizes
$P(D > \sigma)$ in the network. As our generic jamming process
characterizes both non-reactive and reactive jammers with
distinct behaviors, we provide analytical results of their impacts
on $P(D > \sigma)$, respectively. We first present the results on
reactive jamming.

Lemma 1 (Reactive Jamming): In a wireless local-area
network $\mathcal{N}(m, N_f, N_c)$ under a reactive jamming process
$\{(F, C), X\}$ with sensing time $\tau$, for a time-critical application
at node $k$, the message delay $D_k$ satisfies

$$P(D_k>\sigma) \le \left(1 - \left(1-\frac{1}{N_f N_c}\right)^{(1-p)T_L\gamma_k}\left(1 - \frac{(1-p)T_L}{\tau N_f N_c + p(1-p)T_L^2\gamma_k}\right)\right)^{\sigma/T_L} \tag{1}$$

for $N_f N_c$ sufficiently large, where $T_L$ is the message
transmission duration, $\sigma$ is the message delay threshold,
$\gamma_k = \sum_{j \neq k} \lambda_j$, and $\lambda_j$ is the traffic rate at node $j$.

Proof: Without loss of generality, assume that node 1 is
transmitting a message with delay threshold $\sigma$. Each
transmission has a duration of $T_L$. The application layer can transmit
the message at most $\sigma/T_L$ times. The $i$-th transmission attempt
uses the $(u_i, v_i)$-th channel ($1 \le i \le \sigma/T_L$).

The message invalidation probability $P(D_1 > \sigma)$ is equal
to the probability that all $\sigma/T_L$ transmission attempts are
disrupted by either collision or jamming, i.e.,

$$P(D_1 > \sigma) = P\left(\bigcap_{i=1}^{\sigma/T_L} (C_i \cup J_i)\right), \tag{2}$$

where $C_i$ and $J_i$ denote the events that the $i$-th transmission
is disrupted by collision and jamming, respectively.

First, we derive the collision probability $P(C_i)$. Since all
nodes have constant traffic rates, during node 1's $i$-th
transmission duration, there are $(1-p)T_L \sum_{j=2}^{m} \lambda_j$ transmissions at
other nodes that can possibly collide with the $i$-th transmission.
As the frequency-code channel for each transmission in the
network is uniformly assigned among all $N_f N_c$ selections,
the collision probability is equal to the probability that there
is at least one other transmission colliding with node 1's $i$-th
transmission, which can be written as

$$P(C_i) = 1 - \left(1 - \frac{1}{N_f N_c}\right)^{(1-p)T_L\gamma_1}, \tag{3}$$

where $\gamma_1 = \sum_{j=2}^{m} \lambda_j$.

Then, we compute the jamming probability $P(J_i)$. For
the sake of simplicity, assume that the $i$-th transmission
starts at time 0. Define a renewal process
$N_i(t) = \sup_{n \in \{0,1,2,\ldots\}} \{\sum_{l=1}^{n} X_l \le t\}$. Then $X_1, X_2, \cdots, X_{N_i(t)}$ are
renewal intervals during period $[0, t]$, and $X_l = \tau + S_l 1_A$,
where $A$ denotes the event that a channel is sensed with
activity, and $S_l$ is the jamming duration.

To maximize its damage to the network, the reactive jammer
should always set the jamming duration $S_l$ to be $pT_L$. This
means that when the jammer senses a transmission, it always
chooses the minimum effective jamming duration to disrupt
the transmission such that it can immediately move on to sense
and jam other channels. Thus, we choose $S_l = pT_L$.

In order to successfully disrupt the $i$-th transmission (i.e.,
$J_i$ holds), the reactive jammer must switch to the $(u_i, v_i)$-th
channel at least once during $[0, (1-p)T_L - \tau]$. Let event
$B_l = \{F_l = u_i\} \cap \{C_l = v_i\}$. Then, we have

$$
\begin{aligned}
P(J_i \mid u_i, v_i) &= P(\text{at least one event holds in } \{B_l\}) \\
&= P\left(\sum_{l=1}^{N_i((1-p)T_L-\tau)} 1_{B_l} \ge 1\right) \le E\left(\sum_{l=1}^{N_i((1-p)T_L-\tau)} 1_{B_l}\right) \\
&= E\big(N_i((1-p)T_L-\tau)\big)\,P(B_l) \\
&= E\big(N_i((1-p)T_L-\tau)\big)\,P(F_l=u_i, C_l=v_i) \\
&= E\big(N_i((1-p)T_L-\tau)\big)/(N_f N_c),
\end{aligned}
$$

where the first inequality follows from Markov's inequality,
and the third equality follows from Wald's equation. We then
have

Nc  Nf 

p(Ji)  = 

*= 1 3=1 

$$= E\big(N_i((1-p)T_L-\tau)\big)/(N_f N_c). \tag{4}$$


To obtain $E(N_i((1-p)T_L - \tau))$, we first have from the
elementary renewal theorem

$$\lim_{t \to \infty} E(N_i(t))/t = 1/E(X_l), \tag{5}$$

where $E(X_l) = \tau + pT_L P(A)$, $P(A)$ is the probability that a
channel is sensed busy and $P(A) = 1 - (1 - 1/(N_f N_c))^{(1-p)T_L\gamma_1}$.
Then, it is reasonable to assume that the sensing time $\tau \ll T_L$
and the average renewal interval $E(X_l) \ll T_L$, since power
networks should always have unsaturated traffic loads [3], [8]
for timely monitoring and control. Thus, it follows that

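$$
\begin{aligned}
E\big(N_i((1-p)T_L-\tau)\big) &\approx \frac{(1-p)T_L-\tau}{E(X_l)} \approx \frac{(1-p)T_L}{E(X_l)} \\
&= \frac{(1-p)T_L}{\tau + pT_L - pT_L\left(1-\frac{1}{N_f N_c}\right)^{(1-p)T_L\gamma_1}} \\
&\approx \frac{(1-p)T_L}{\tau + \frac{p(1-p)T_L^2\gamma_1}{N_f N_c}}.
\end{aligned} \tag{6}
$$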


The last approximation follows from the fact that $(1-x)^a \approx 1 - ax$
for small $x$. From (4) and (6), we obtain

$$P(J_i) \le \frac{(1-p)T_L}{\tau N_f N_c + p(1-p)T_L^2\gamma_1}. \tag{7}$$


Finally, combining (2), (3) and (7) completes the proof. □

Next, we present our results on non-reactive jamming.

Lemma 2 (Non-Reactive Jamming): In a wireless local-area
network $\mathcal{N}(m, N_f, N_c)$ with a non-reactive jamming
process $\{(F, C), X\}$, the message delay $D_k$ of a time-critical
application at node $k$ satisfies

$$P(D_k>\sigma) \le \left(1 - \left(1-\frac{1}{N_f N_c}\right)^{T_L(1-p)\gamma_k}\left(1 - \frac{1-p}{e p N_f N_c}\right)\right)^{\sigma/T_L} \tag{8}$$

where $T_L$ is the message transmission duration, $\sigma$ is the
message delay threshold, $\gamma_k = \sum_{j \neq k} \lambda_j$, and $\lambda_j$ is the
traffic rate at node $j$.

Proof: We use a similar technique from renewal theory to
prove Lemma 2. We omit details due to the page limit. □

Based  on  Lemmas  1  and  2,  we  show  in  the  following  that 
reactive  jamming  in  general  leads  to  the  worst-case  delay 
performance,  thereby  maximizing  the  damage  to  the  network. 

Theorem 1 (Worst-Case Delay Performance): For a wireless
local-area network $\mathcal{N}(m, N_f, N_c)$ with sufficiently large
$N_f N_c$, the worst-case delay performance at node $k$ is always
induced by the reactive jamming, and its message delay
is bounded by (1).

Proof: Comparing (8) with (1), it suffices to show

$$\frac{(1-p)T_L}{\tau N_f N_c + p(1-p)T_L^2\gamma_k} \ge \frac{1-p}{e p N_f N_c}, \tag{9}$$

which is equivalent to

$$\tau \le e p T_L - p(1-p)T_L^2\gamma_k/(N_f N_c). \tag{10}$$

For $N_f N_c$ sufficiently large, $p(1-p)T_L^2\gamma_k/(N_f N_c) \approx 0$.
Then, since $e \approx 2.718$ and $\tau < pT_L$ (the sensing time is
smaller than the minimum jamming duration), it always holds
that $\tau < e p T_L$, which completes the proof. □

Remark  1:  In  practice,  spread  spectrum  systems  should 
always  have  large  Nf  or  Nc  to  effectively  combat  jamming 
attacks.  Thus,  Theorem  1  shows  that  reactive  jamming  is  more 
harmful  than  non-reactive  jamming  in  wireless  networks  for 
the  smart  grid.  From  the  perspective  of  security  design  for  the 
smart  grid,  it  is  reasonable  to  consider  reactive  jamming  as 
the  worst-case  scenario  for  smart  grid  applications. 

Example 1: Fig. 1 shows an example of the worst-case
message invalidation probabilities induced by both non-reactive
(8) and reactive jamming (1) for time-critical applications at
node $k$. We can see that reactive jamming always leads to
worse delay performance than non-reactive jamming, and that
the delay performance at node $k$ also depends on the aggregate
traffic load $\gamma_k$. An interesting observation from Fig. 1 is
that in the reactive-jamming case, the message invalidation
probability is not minimized at $\gamma_k = 0$. Instead, it is minimized
at a fairly large value $\gamma_k \approx 38$ kilo-messages/second.

Fig. 1. Worst-case delay performance $P(D_k > \sigma)$ versus aggregate traffic
$\gamma_k$ at node $k$ for time-critical applications with delay thresholds of 3-10 ms
($N_f = N_c = 10$, $T_L = 1$ ms, $p = 0.1$, and $\tau = 100\,\mu$s for reactive jamming).
Horizontal axis: Aggregate Traffic [Kilo-Messages per Second].

Remark 2: Fig. 1 illustrates that, interestingly, the
worst-case delay (caused by reactive jamming) is in fact a U-shaped
(first-decreasing then-increasing) function of traffic load $\gamma_k$.
This is due to the sensing and reacting nature of reactive
jamming. Intuitively, when there is redundant traffic on a
channel, the reactive jammer may sense it and attempt to
jam it, which offers the opportunity for legitimate traffic on
other channels to pass through. On the other hand, the
over-increase of traffic will surely decrease the delay performance
since transmissions have a high probability to collide with each
other. Hence, there should be an optimal traffic load such that
the worst-case message delay can be minimized.
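
The bounds (1) and (8) can be evaluated numerically to locate the traffic load that minimizes the reactive-jamming bound. The Python code below is an added example, not code from the paper: the function names are hypothetical, jamming terms above 1 are clamped to 1, `attempts` stands for $\sigma/T_L$, and the parameter values (100 channels, $T_L$ = 1 ms, $p$ = 0.1, three attempts, and an assumed sensing time of 1 μs) are constructed for illustration.

```python
import math


def collision_prob(gamma, t_l, p, n_ch):
    """Eq. (3): other nodes' traffic (gamma msgs/s) lands on the same channel."""
    return 1.0 - (1.0 - 1.0 / n_ch) ** ((1.0 - p) * t_l * gamma)


def reactive_jam_prob(gamma, t_l, p, n_ch, tau):
    """Eq. (7). The bound can exceed 1 at low load, so it is clamped to 1."""
    bound = (1.0 - p) * t_l / (tau * n_ch + p * (1.0 - p) * t_l ** 2 * gamma)
    return min(1.0, bound)


def nonreactive_jam_prob(p, n_ch):
    """Per-attempt jamming term of Eq. (8); it does not depend on the load."""
    return min(1.0, (1.0 - p) / (math.e * p * n_ch))


def invalidation_bound(gamma, attempts, t_l, p, n_ch, tau=None):
    """Bound (1) if a sensing time tau is given (reactive), else bound (8)."""
    if tau is None:
        jam = nonreactive_jam_prob(p, n_ch)
    else:
        jam = reactive_jam_prob(gamma, t_l, p, n_ch, tau)
    # One attempt gets through only if it is neither hit by a collision nor jammed.
    delivered = (1.0 - collision_prob(gamma, t_l, p, n_ch)) * (1.0 - jam)
    # The message is invalid when every one of the attempts fails.
    return (1.0 - delivered) ** attempts


def best_load(attempts, t_l, p, n_ch, tau, max_load=100_000, step=100):
    """Grid search for the aggregate load (msgs/s) that minimizes bound (1)."""
    loads = range(0, max_load + 1, step)
    return min(loads, key=lambda g: invalidation_bound(g, attempts, t_l, p, n_ch, tau))


# Constructed parameters (assumptions of this example, in seconds and msgs/s).
PARAMS = dict(attempts=3, t_l=1e-3, p=0.1, n_ch=100)
TAU = 1e-6  # assumed sensing time of the reactive jammer

if __name__ == "__main__":
    optimum = best_load(tau=TAU, **PARAMS)
    for load in (0, 10_000, 20_000, optimum, 60_000, 100_000):
        reactive = invalidation_bound(load, tau=TAU, **PARAMS)
        nonreactive = invalidation_bound(load, **PARAMS)
        print(f"{load:>7} msgs/s  reactive <= {reactive:.4f}  "
              f"non-reactive <= {nonreactive:.6f}")
```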

Remark  3:  In  the  smart  grid,  a  node’s  traffic  load  is  usually 
static  and  quite  unsaturated  for  monitoring  and  control  on 
critical  power  devices.  For  example,  wireless  monitoring  for 
substation  transformers  only  needs  to  transmit  a  message 
every  second  [11].  This  indicates  that  in  general,  we  should 
intentionally  increase  a  certain  amount  of  redundant  traffic  to 
obtain  the  optimal  traffic  load.  Then,  legitimate  messages  can 
have  a  chance  to  be  successfully  delivered  during  the  period 
that  jamming  attacks  attempt  to  disrupt  redundant  traffic.  We 
name  such  traffic  as  camouflage  traffic  since  it  serves  as 
camouflage  to  “hide”  legitimate  traffic  from  attacks. 

IV.  Smart  Grid  Application:  Anti-Islanding 

In  this  section,  we  use  experiments  to  measure  how  much 
gain  we  can  obtain  by  transmitting  camouflage  traffic  for  a 
smart  grid  application,  anti-islanding,  under  jamming  attacks. 

A.  Background  on  Anti-Islanding 

Anti-islanding is an important protection procedure for
distributed energy resources (DES) in the smart grid. In power
engineering, islanding [3] refers to the condition in which
distributed energy resources continue power supply even though
the electric utility is disconnected. Unintentional islanding can
cause many problems, such as damaging customers' loads
and harming distributed energy resources. Thus, anti-islanding
protection procedures must be deployed in power systems to
prevent any unintentional islanding.

Fig. 2. Message invalidation probability versus traffic load under
jamming attacks.

Fig. 3. Performance of message delivery with different delay thresholds
under reactive jamming.

An anti-islanding procedure works in the scenario where a load
is supplied by both utility and DES: when the utility supply
is disconnected and the islanding is detected, an anti-islanding
message is sent to the DES to make it stop generating power
and prevent potential damages to the DES. The delay threshold
of such a message is 150-300ms [3].

B.  System  Setups 

We  use  universal  software  radio  peripheral  (USRP)  devices 
with  GNU  Radio  to  set  up  a  frequency-hopping  based  wireless 
network  to  provide  jamming  resilience  for  the  anti-islanding 
application.  The  network  consists  of  five  nodes.  Each  node’s 
routine  traffic  is  one  message  of  status  update  to  the  gateway 
node  every  second. 

There are 8 frequency hopping channels at the 2.4GHz band,
each of which uses BPSK modulation and has a bandwidth
of 125KHz. The lengths of anti-islanding and camouflage
messages are 400 and 1000 bytes, respectively. The delay
threshold of anti-islanding messages is set to be 150ms.

We  also  set  up  a  USRP-based  jammer  with  operational 
bandwidth  of  125KHz.  When  it  is  non-reactive,  it  keeps 
broadcasting  jamming  pulses,  each  of  which  is  sent  on  a 
randomly  selected  channel.  When  it  is  reactive,  it  uses  an 
energy  detector  to  scan  all  8  hopping  channels  one  by  one, 
and  jams  any  on-going  transmission  as  long  as  it  senses  energy 
activity.  The  jamming  pulse  duration  is  set  to  be  1ms. 

C.  Experimental  Results 

First, we evaluate the impact of both reactive and
non-reactive jammers on the anti-islanding application. We generate
camouflage messages at fixed rates of 0-30 messages/second
at each IED. Fig. 2 shows the message invalidation
probability for anti-islanding messaging as a function of the
camouflage traffic rate of each IED. We can see from Fig. 2
that reactive jamming always leads to worse performance
than non-reactive jamming, indicating that we should always
consider the reactive jamming as the worst-case scenario.
Thus, in the following, we will only consider the reactive
jamming. Fig. 2 also shows that the message invalidation
probability induced by reactive jamming is a U-shaped function
of the traffic load. We can see that the message invalidation
probability decreases from 41.2% to 0.82% as the camouflage
traffic load goes from 0 to 15 messages/second.

Then, we consider the delay performance with different
delay thresholds of 150, 190, and 230ms under reactive
jamming. If the delay threshold becomes larger, we can transmit
the same message more times to ensure more reliability.
Thus, the transmissions have 5, 6, and 7 hops (transmission
attempts) for messages with delay thresholds of 150, 190, and
230ms, respectively. Fig. 3 shows the message invalidation
probabilities for different delay thresholds. We can observe
that the minimum probabilities are always achieved at 15
messages/second, which in turn indicates that the optimal
traffic load is independent of the delay threshold.

Our experimental results show that transmitting an adequate
amount of camouflage traffic into the network can substantially improve
the delay performance under reactive jamming. However, it
does not help improve the performance in the case of
non-reactive jamming. Therefore, in a network with no knowledge
of attacks, an appropriate solution is to adaptively generate
such traffic to balance the network traffic load at the optimal
point, which will be investigated in the journal version.

V.  Conclusion 

In  this  paper,  we  provided  a  study  on  minimizing  the 
message  delay  for  smart  grid  applications  under  jamming 
attacks.  By  defining  a  generic  jamming  process,  we  showed 
that  the  worst-case  message  delay  is  a  U-shaped  function  of 
network traffic load. Thus, we show that generating
camouflage traffic is a promising method to improve the worst-case
delay performance in the smart grid under jamming attacks.